Dr. Soumyo Maity and Lokesh Balu from Dell Technologies presented a new control-based approach to threat modeling at SACON 2020 in Bangalore, India. Their approach maps threats identified through traditional techniques like STRIDE directly to security controls. This makes threat modeling more scalable, developer-centric, and integrated with the software development lifecycle. A case study demonstrated how identifying threats based on failed security controls can complement traditional threat modeling. The control-based approach was presented as an effective way to address challenges of complexity, resources, and agility in modern software development.
(SACON) Satish Sreenivasaiah - DevSecOps Tools and Beyond (Priyanka Aash)
This session will provide details on the usage of OSS tools to secure your dev and ops lifecycle. It covers tools used in application, host and network security assessments for both monolithic and microservices-based architectures. The session also covers usage of OSS tools for runtime application self-protection. Apart from tools in the development phase, the session provides insights on building secure design into the product via a threat modeling tool.
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y... (Priyanka Aash)
Open Source technologies are being widely adopted to help SOC / DevSecOps teams in day-to-day operations. We'll be showcasing how we've built our SIEM using Apache Metron with a custom SOAR layer, Blitz, over it to alert and respond to threats in real time. We'll deep dive into the architecture of both platforms and demonstrate various use cases covering cloud infra, endpoint devices, outbound traffic and perimeter security threats. We'll also present how to automate remediation of alerts and scale the setup for orchestration and threat hunting.
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ... (Priyanka Aash)
Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. K8s groups containers that make up an application into logical units for easy management and discovery. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation. As organizations accelerate their adoption of containers and container orchestrators, they will need to take necessary steps to protect such a critical part of their compute infrastructure.
How this topic is relevant:
- 1 out of 5 organizations are going for container installation
- Container security attack vectors are rising
- Recently a major vulnerability was discovered in containers and got good media attention
Duration (mentioned on sacon.io, if not as per program committee call).
(SACON) Apoorv Raj Saxena - Hacking and Securing Kubernetes and Dockers in Cl... (Priyanka Aash)
Based on recent research of mine, this will be a hands-on demonstration of Docker and Kubernetes exploitation and a deep dive on how to achieve remote code execution through low-hanging fruits of Docker and Kubernetes.
(SACON) Vandana Verma - Living In A World of Zero Trust (Priyanka Aash)
As everything is now moving to the cloud, all applications are accessible from anywhere and everywhere. However, no one wants their private information to be compromised and openly available to the world. We have been taking so many precautions, yet breaches continue to happen. How should we fix this?
Organisations have been talking about Zero Trust lately and it has become a buzzword. The talk will explore Zero Trust beyond the buzzword and describe what exactly Zero Trust is and why it is so important to keep organisations safe. How can we implement or deploy Zero Trust in an organisation while keeping the current and future state of the organisation in mind? What should be the business model to move any organisation towards a Zero Trust Architecture, and what policies need to be implemented to achieve the same?
In the end, certain recommendations will be shared with the participants as a takeaway from my own experiences while working towards implementing the Zero Trust.
Pactera - Cloud, Application, Cyber Security Trend 2016 (Kyle Lai)
In this presentation, we discuss the trends in application, cloud and cyber security. We analyze surveys of several hundred companies to show the trends in security concerns, threats, and what controls companies are looking to implement.
It also introduces Pactera's cybersecurity capabilities in providing end-to-end managed services for application security testing, secure code review, penetration testing, application security and secure coding practice training, third-party supplier security risk assessment, data governance and ISO 27001 based assessments.
Building Monitoring Framework
Thank you Ralali, DevOps Indonesia, IDDevops members and all participants of tonight's meetup event.
The presentation can be accessed at: https://www.slideshare.net/isnuryusuf/devops-indonesia-presentation-monitoring-framework
The video recording can be viewed at:
- https://www.youtube.com/watch?v=cyopfqHxMqU
- https://www.youtube.com/watch?v=V_HYxs6IUxM
Last year, 106 unknown malware hit an organization every hour. And, 83 percent of organizations had existing bot infections. To get a clear view of what's trending in the threat landscape, read Check Point’s annual security report.
Software-Defined Segmentation Done Easily, Quickly and Right (SBWebinars)
Recently there has been a realization that traditional methods of segmentation like VLANs and firewalls are not suitable for today’s rapidly changing enterprise environments.
In this webinar, come learn how modern software-defined segmentation solutions:
- Start with visibility.
- Provide enterprises with easy ways to identify and label workloads.
- Provide easy-to-implement, granular enforcement that goes well beyond IP address and port and is able to lock down by process, user and domain.
- Enable DevOps automation, provisioning and management.
- Are decoupled from, and work in an agnostic fashion across, every enterprise platform.
- Provide strong security while enabling compliance and ongoing compliance validation.
In today’s complex and dynamic environment with growing digital business demands, IT often struggles to gain adequate visibility and control, and to ensure compliance with security policies and regulatory guidelines. Effective security policy management that accommodates the dynamic nature of today’s organizations is a key challenge for many IT departments.
Sam Herath - Six Critical Criteria for Cloud Workload Security (centralohioissa)
Modern elastic cloud infrastructure is fundamentally breaking traditional security approaches. Public cloud has no natural perimeter or network segmentation, leaving individual cloud servers exposed. In private cloud, malicious East-West traffic inside the network is a serious threat. As new workloads are added and retired dynamically, change control is difficult, and updating granular firewall rules and security policies becomes a risky, manual process. Join us and learn the 6 Critical Criteria to secure your public, private or hybrid cloud: on-demand, anywhere, at any scale.
According to Google, almost 80 percent of websites loaded in Chrome are over HTTPS, and Zscaler ThreatLabZ research shows that more than 50 percent of malware now hides in SSL/TLS-encrypted traffic. The problem is that many organizations don’t have the budget to fully inspect encrypted traffic, so SSL becomes a blind spot and IT is faced with a major compromise. Meanwhile, attackers are getting more and more creative in how they deliver malware over SSL/TLS, which creates new inspection challenges.
Whether you're a huge enterprise or a small start-up, you can't escape global digitalization. As digital technologies like machine-2-machine communication, device-2-device telematics, connected cars, and the Internet of Things become more integral in today’s world, more threats will appear as hackers use new ways to exploit weaknesses in your organization and products.
During SoftServe’s free security webinar, Nazar Tymoshyk will explore the reasons why recent victims of digital attacks couldn’t withstand a threat to their security and share how you can build secure and compliant software with the help of security experts. A real-life case study will demonstrate how SoftServe assessed and mitigated security threats for a top organization.
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io
2018-11-19 Improving business agility with security policy automation (final) (AlgoSec)
The traditional network is bursting at the seams. Good old perimeter security, enforced by traditional firewall protection, is being joined by distributed firewalls, public clouds and a shared-responsibility security model.
Agenda:
- SDLC vs S-SDLC
- Mobile development security process
- What tools to use for security testing?
- How to integrate into existing processes?
- What else can you do?
Building Your Application Security Data Hub - OWASP AppSecUSA (Denim Group)
One of the reasons application security is so challenging to address is that it spans multiple teams within an organization. Development teams build software, security testing teams find vulnerabilities, security operations staff manage applications in production and IT audit organizations make sure that the resulting software meets compliance and governance requirements. In addition, each team has a different toolbox they use to meet their goals, ranging from scanning tools, defect trackers and Integrated Development Environments (IDEs) to WAFs and GRC systems. Unfortunately, in most organizations the interactions between these teams are often strained, and the flow of data between these disparate tools and systems is non-existent or tediously implemented manually.
In today’s presentation, we will demonstrate how leading organizations are breaking down these barriers between teams and better integrating their disparate tools to enable the flow of application security data between silos to accelerate and simplify their remediation efforts. At the same time, we will show how to collect the proper data to measure the performance and illustrate the improvement of the software security program. The challenges that need to be overcome to enable teams and tools to work seamlessly with one another will be enumerated individually. Team and tool interaction patterns will also be outlined that reduce the friction that will arise while addressing application security risks. Using open source products such as OWASP ZAP, ThreadFix, Bugzilla and Eclipse, a significant amount of time will also be spent demonstrating the kinds of interactions that need to be enabled between tools. This will provide attendees with practical examples on how to replicate a powerful, integrated Application Security program within their own organizations. In addition, how to gather program-wide metrics and regularly calculate measurements such as mean-time-to-fix will also be demonstrated to enable attendees to monitor and ensure the continuing health and performance of their Application Security program.
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders (James Strong)
Is that requirement from NIST 800-53 Controls or NIST 800-190? If you've ever wondered where those pesky cloud security controls come from, this meetup is for you.
In this Meetup, James Strong and Jason Lutz from Contino (an AWS Premier Consulting Partner) will discuss how Contino views DevSecOps. They will review the benefits of DevSecOps:
- Cost Reduction
- Speed of Delivery
- Speed of Recovery
- Security is Federated
- DevSecOps Fosters a Culture of Openness and Transparency
During this Meetup, James and Jason will show you how to harden and secure a container pipeline and AWS network. Briefly, they will demonstrate how to deploy accounts with a Cloud Security Posture and review security best practices from AWS, CIS, and NIST. They will also touch on how to integrate changes in your infrastructure pipelines to adhere to your Enterprise's Security Compliance Guidelines.
If you're interested in integrating security and compliance into your Application and Infrastructure pipelines to realize the benefits of DevSecOps, join us in this virtual meetup.
As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers view as vulnerable, particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Secure application deployment in the age of continuous delivery (Tim Mackey)
As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Most application security efforts are misguided and ineffective. Why? Because while many security practitioners have a good understanding of how to find application vulnerabilities and exploit them, they often don't understand how software development teams work, especially in Agile/DevOps organizations. This leads to flawed programs. If we want to build secure applications, we have to meet development teams where they are by embedding security into their processes.
Similar to (SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer-centric Threat Modeling for secure software development
Digital Personal Data Protection (DPDP) Practical Approach For CISOs (Priyanka Aash)
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
It covers popular IaaS/PaaS attack vectors, lists them, and maps them to other relevant projects such as STRIDE & MITRE. Security professionals can better understand which common attack vectors are utilized in attacks, see examples from previous events, and learn where they should focus their controls and security efforts.
Discuss security incidents and business use cases, understanding Web 3 pros and Web 3 cons, prevention mechanisms, and how to make sure that it doesn’t happen to you.
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore) (Priyanka Aash)
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision makers of different organizations joined this discussion and spoke on new threats and top CISO priorities.
Cloud Security: Limitations of Cloud Security Groups and Flow Logs (Priyanka Aash)
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past, and how, in a world of no perimeters, Cloud Security Groups, the "Cloud Firewalls", fit in. We will practically explore Cloud Security Group limitations across different cloud setups, from a single vNet to multi-cloud.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, systems need to be constantly updated and enforced to prevent attackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of ethical hacking. An ethical hacker's job is to scan for vulnerabilities and to find potential threats on a computer or network. An ethical hacker finds the weaknesses or loopholes in a computer, web application or network and reports them to the organization. It requires a thorough knowledge of networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, attacks, etc. In this session, you will learn all about ethical hacking. You will understand what ethical hacking is, cyber-attacks, tools, and some hands-on demos. This session will also guide you through the various ethical hacking certifications available today.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs (Alex Pruden)
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
- See how to accelerate model training and optimize model performance with active learning
- Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
- Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
Andras Palfi, Senior Product Manager, UiPath
Lenka Dulovicova, Product Program Manager, UiPath
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 Discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Epistemic Interaction - tuning interfaces to provide information for AI support
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer-centric Threat Modeling for secure software development
1. SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
A Scalable, Control-based, Developer-centric Threat Modeling for Secure Software Development
Dr. Soumyo Maity and Lokesh Balu, Dell Technologies
Principal & Senior Principal Engineer
2. SACON 2020
Agenda
• Threat Model 101
• The big scalability question
• Quick intro to Security Controls
• A new control-based approach of threat modeling
• Solution to scalability problems
• A Case study
• Future work
4. SACON 2020
Threat Model 101
• The process of determining
– the range of potential security threats,
– the risks associated with them, and
– the appropriate risk responses
… at design time (identify design- and architecture-level security problems)
• Threat modeling = the process
• Threat model = the result of the process
5. SACON 2020
Why do Threat Model?
• Produce software that’s secure by design
• Because attackers think differently
• Creator blindness / new perspective
• Find problems when there’s time to fix them
• Predictably and effectively find security problems early in the process
“Bad guys will do it later if the good guys are lazy”
6. SACON 2020
How to do Threat Model
Assets to protect → Threats to consider → Objectives to meet → Requirements to implement → Risks to evaluate → Controls to implement → Monitor for gaps
STRIDE | DREAD | PASTA | LINDDUN | Attack Tree
7. SACON 2020
STRIDE
• Spoofing identity: illegally accessing and then using another user's authentication information
• Tampering with data: malicious modification; unauthorized changes
• Repudiation: denying having performed a malicious action; inability of a system to counter repudiation threats
• Information disclosure: exposure of information to individuals not supposed to have access
• Denial of service: denying service to valid users; threats to system availability and reliability
• Elevation of privilege: an unprivileged user gains privileged access to compromise the system; effectively penetrates and becomes part of the trusted system
8. SACON 2020
PASTA (Process for Attack Simulation and Threat Analysis)
• Define Business Context: identify inherent application risk profile and address other business impact
• Define Technology Scope: identify bottlenecks in technology stack
• Application Decomposition: focus on understanding the data flows amongst application components and services
• Threat Analysis: review threat assertions from data within environment and deployment model
• Weakness / Vulnerability Identification: identify the vulnerabilities and weaknesses within the application design and code
• Attack Simulation: focus on emulating attacks that could exploit identified weaknesses / vulnerabilities
• Residual Risk Analysis: remediate vulnerabilities or weaknesses in code or design
9. SACON 2020
DREAD
• Damage: how bad would an attack be?
• Reproducibility: how easy is it to reproduce the attack?
• Exploitability: how much work is it to launch the attack?
• Affected users: how many people will be impacted?
• Discoverability: how easy is it to discover the threat?
10. SACON 2020
LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance)
• Define DFD: high-level system description
• Map Privacy: map LINDDUN with DFD
• Identify Threat Scenarios: privacy threat patterns in form of a tree
• Prioritize Threat: risk assessment techniques
• Elicit Privacy Threat: map privacy threat to requirement
• Mitigation Strategy: select Privacy Enhancing Technologies
12. SACON 2020
Threat Library Based Approach
• One thing common in all conventional threat models: a threat library based approach
• The Threat Library is:
– Too cryptic for the developers
– Threats are not directly mapped with an action / activity
– Usually static
• There are tools, but with limitations:
– Costly
– Require skill to configure as per business need
14. SACON 2020
Scalability
• Modeling Threat is no easy job
• Who cares for security expert’s jargon?
• Too conceptual, abstract and prescriptive
• Architecture is becoming more and more complex
• Considering supply chain - a mammoth task
• Security skill resource gap
• Development is becoming more and more agile – DevOps
16. SACON 2020
What is a Security Control?
Reference: ISO 27034
Controls: methods, policies, procedures to protect
• assets
• accuracy & reliability of records
• adherence to management standards
18. SACON 2020
OWASP Top 10 Security Controls
• C1: Define Security Requirements
• C2: Leverage Security Frameworks and Libraries
• C3: Secure Database Access
• C4: Encode and Escape Data
• C5: Validate All Inputs
• C6: Implement Digital Identity
• C7: Enforce Access Controls
• C8: Protect Data Everywhere
• C9: Implement Security Logging and Monitoring
• C10: Handle All Errors and Exceptions
20. SACON 2020
The Process Flow (TVC Triad)
Threats ↔ Control ↔ Verify
• Threats: sourced from Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE
• Control: from the Control Catalog, ANF
• Verify: Verification Activities
21. SACON 2020
The Revised Process Flow (TVC Triad)
Threats ↔ Control ↔ Verify
• Threats: sourced from Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE
• Control: from the Control Catalog, ANF
• Verify: Scans, Manual Testing, etc.
22. SACON 2020
The Revised Process Flow with Update
Same TVC Triad as the previous slide: Threats (Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE) ↔ Control (Control Catalog, ANF) ↔ Verify (Scans, Manual Testing, etc.)
23. SACON 2020
What does that mean?
• Let’s talk in developer’s language
– Instead of non-repudiation tell them, “hey, use digital signature”
– Instead of saying tampering or MITM, tell them “Secure data transport via TLS 1.2”
– Etc.
• Threat Library and Control Catalog do not have 1-1 mapping
• Give a finite set of controls. Make it complete, sound and correct
• Failure of a control = Threat
25. SACON 2020
How does the Control-based approach help?
• Less dependency on security experts
• Can be automated and integrated into the pipeline
• Faster
• Standard
• Adaptive and dynamic
• Complements traditional threat models
– You still need them for high-value products in the design phase
30. SACON 2020
Manual Threat Model
• Threat Library
– A list of all possible threats
▪ Attacks on Incomplete Mediation
▪ Attacks on Certificate Validation
▪ Privilege Escalation Attacks
▪ Attacks on Insecure Cryptography
▪ Attacks on Network Communications
▪ Attacks on Secrets
▪ Attacks on Weak Session Management
▪ Attacks on Web Interfaces
▪ Attacks on Web Services
▪ Attacks on Objects
▪ Injection Attacks
▪ Buffer Overflow Attacks
▪ File Upload Attacks
▪ Denial of Service Attacks
▪ Attacks on Installation Packages/Update
▪ Attacks on Security Misconfigurations
▪ Attacks on Audit Logs
▪ Attacks on Embedded Components
▪ Attacks on Datastores
31. SACON 2020
Manual Threat Model
• Threat Library
– A list of all possible threats
▪ Attacks on Incomplete Mediation
▪ Unrestricted access
▪ Authentication downgrade
▪ Authorization bypass
▪ Tampering through filesystem access
▪ Client bypass
▪ Process spoofing
▪ Weak access controls
▪ Capture/replay attacks
▪ Tampering in transit
32. SACON 2020
Manual Report (fields)
• Unique Threat Identifier
• Free Form Threat Identifier
• Element(s) involved in the threat
• Base Metrics (CVSSv3)
• Base Metrics CVSSv3 vector
• Detailed explanation of the “use case” constructed to calculate the CVSSv3 score
• Threat Library Identifier, CWE
• Technical description of the threat
• Risk Registry Index (if a risk registry exists for the product)
• Threat Status: Known/Unknown
• Planned resolution
• Technical Mitigation
• Business Mitigation
34. SACON 2020
Control to Threat Map
• Instead of a Threat Library, let us identify threats by using the Control Catalog
• Example, for the threat Cross-Site Scripting:
Control | Threat
Web Security Testing (DAST) | Cross-site scripting
Static analysis using a tool that is able to discover XSS issues in the languages utilized | Cross-site scripting
Perform test for reflected cross-site scripting | Cross-site scripting
Perform test for stored cross-site scripting | Cross-site scripting
A standard convention to mitigate these threats is agreed upon by the development team and is strictly enforced by coding conventions | Cross-site scripting
Penetration Test | Cross-site scripting
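To make the flipped model concrete, here is an added Python example (not code from the talk, from Dell, or from any project the deck mentions). It encodes a tiny control catalog in the shape of the table above, attaches a verification activity to each control (the "Verify" leg of the TVC triad), runs the activities against two constructed implementations of a greeting page, and reports a threat only for controls whose verification fails (slide 23: failure of a control = threat). It also lists threat-library entries that no catalog control covers, which is the "Monitor for gaps" step of slide 6. Every identifier is an assumption: the control ids, the SUT dictionary layout, the canary string, the three library entries, and the two verification functions, which stand in for the DAST, static-analysis and manual-test controls listed above.

```python
"""Control-based threat derivation (added example, not the speakers' tooling).
A finite control catalog maps each control to the threats it mitigates; a
failed verification surfaces those threats in the developer's language (the
control id), not as an abstract threat-library label."""
import html
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# ---- Two systems under test (constructed for the example) -------------------
def render_unsafe(name: str) -> str:
    """'Before' version: untrusted input concatenated straight into HTML."""
    return f"<p>Hello, {name}!</p>"

def render_escaped(name: str) -> str:
    """OWASP C4 (Encode and Escape Data) applied for the HTML text context."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

_NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")

def validate_name(name: str) -> bool:
    """OWASP C5 (Validate All Inputs): allow-list for a display name."""
    return _NAME_RE.fullmatch(name) is not None

# A "system under test" is just the hooks the verification activities call
# (hypothetical layout chosen for this example).
SUT_UNSAFE = {"render": render_unsafe, "validate": lambda s: True}
SUT_HARDENED = {"render": render_escaped, "validate": validate_name}

# ---- Verification activities: the "Verify" leg of the TVC triad -------------
CANARY = '<tmcanary a="1">'   # constructed marker, not a real payload

def reflected_xss_test(sut: dict) -> bool:
    """Control 'Perform test for reflected cross-site scripting': the canary
    must never reach the rendered output unencoded."""
    return "<tmcanary" not in sut["render"](CANARY)

def input_validation_test(sut: dict) -> bool:
    """Control 'Validate all inputs': markup must be rejected, plain names accepted."""
    return (not sut["validate"]("<b>x</b>")) and sut["validate"]("Ada Lovelace")

# ---- Control catalog: many controls -> one threat, one control -> many ------
@dataclass(frozen=True)
class Control:
    cid: str                           # developer-facing identifier (constructed)
    description: str                   # wording from the control catalog
    threats: Tuple[str, ...]           # threat-library names this control mitigates
    verify: Callable[[dict], bool]     # verification activity; True = control holds

CATALOG: List[Control] = [
    Control("CTL-XSS-REFLECTED", "Perform test for reflected cross-site scripting",
            ("Cross-site scripting",), reflected_xss_test),
    Control("CTL-INPUT-VALIDATION", "Validate all inputs",
            ("Cross-site scripting", "Injection Attacks"), input_validation_test),
]

# Threat-library entries we expect the catalog to cover (constructed subset).
THREAT_LIBRARY = ("Cross-site scripting", "Injection Attacks", "Attacks on Secrets")

def derive_threats(sut: dict, catalog: List[Control] = CATALOG) -> Dict[str, List[str]]:
    """Run every control's verification; each failed control surfaces the
    threats it maps to. Returns {threat: [failed control ids]}."""
    found: Dict[str, List[str]] = {}
    for c in catalog:
        if not c.verify(sut):
            for t in c.threats:
                found.setdefault(t, []).append(c.cid)
    return found

def coverage_gaps(catalog: List[Control] = CATALOG,
                  library: Tuple[str, ...] = THREAT_LIBRARY) -> List[str]:
    """'Monitor for gaps': library threats that no catalog control verifies."""
    covered = {t for c in catalog for t in c.threats}
    return [t for t in library if t not in covered]

if __name__ == "__main__":
    for label, sut in (("unsafe", SUT_UNSAFE), ("hardened", SUT_HARDENED)):
        print(label, derive_threats(sut))
    print("uncovered library threats:", coverage_gaps())
```

Run as a script, the unsafe implementation yields "Cross-site scripting" (evidenced by both failed controls) and "Injection Attacks", the hardened one yields nothing, and "Attacks on Secrets" is reported as a library threat with no control behind it. The point of the design is the output shape: a developer receives failed control ids that name the fix (escape the output, validate the input), which is the 1-to-many mapping of slide 23 made executable.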
35. SACON 2020
The approach is
• Scalable
• Control-based
• Developer centric
• Effective
• Secure
37. SACON 2020
Key Insights
• The STRIDE technique may be good at enumerating the threats; however, it does not aid in developing countermeasures or a mitigation plan
• An Attack Tree provides an overview of the attack surface at some level of abstraction, which results in not capturing data essential for understanding the threat scenario
• An Attack Library may provide information about the attack vectors and be suitable as a checklist model, but it may not contribute to the completeness we expect in the exercise
38. SACON 2020
Takeaways
• Utilize a combination of each of these techniques to perform the various activities in the threat modelling process
• The critical success factor for the threat modelling exercise lies in adopting a structured approach
• Adopt the flipped model: strive for a control-centric approach